From 5af3fe8e2cd633ea9519a5c0dc2e75ea65b3915b Mon Sep 17 00:00:00 2001
From: Cédric Ollivier
Date: Fri, 16 Dec 2022 15:07:09 +0100
Subject: Harden Jenkins jobs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It allows any ssh connection from Ubuntu 22.04 and precises the ssh user.

Change-Id: I660b88d5b1640f8057d4081226517abad94889db
Signed-off-by: Cédric Ollivier
---
 jjb/global/releng-macros.yaml | 5 +++--
 jjb/releng/releng-release-create-branch.sh | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/jjb/global/releng-macros.yaml b/jjb/global/releng-macros.yaml
index 031e24070..ddf2a730e 100644
--- a/jjb/global/releng-macros.yaml
+++ b/jjb/global/releng-macros.yaml
@@ -358,7 +358,8 @@
 echo
 cat gerrit_comment.txt
 echo
- ssh -p 29418 gerrit.opnfv.org \
+ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' \
+ -p 29418 jenkins-ci@gerrit.opnfv.org \
 "gerrit review -p $GERRIT_PROJECT \
 -m '$(cat gerrit_comment.txt)' \
 $GERRIT_PATCHSET_REVISION \
@@ -419,7 +420,7 @@
 msg="Found syntax error and/or coding style violation(s) in the files modified by your patchset."
 sed -i -e "1s#^#${msg}\n\n#" violation.log
 cmd="gerrit review -p $GERRIT_PROJECT -m \"$(cat violation.log)\" $GERRIT_PATCHSET_REVISION --notify NONE"
- ssh -p 29418 gerrit.opnfv.org "$cmd"
+ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -p 29418 jenkins-ci@gerrit.opnfv.org "$cmd"
 # Make sure the caller job failed
 exit 1
diff --git a/jjb/releng/releng-release-create-branch.sh b/jjb/releng/releng-release-create-branch.sh
index bbb9257d7..917a4c721 100644
--- a/jjb/releng/releng-release-create-branch.sh
+++ b/jjb/releng/releng-release-create-branch.sh
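Review bot: The added `-o 'PubkeyAcceptedKeyTypes +ssh-rsa'` re-enables the SHA-1 based `ssh-rsa` signature algorithm that OpenSSH 8.8 and later disable by default, so under the subject "Harden Jenkins jobs" it is really a compatibility relaxation and should be documented as one. I would add a comment above the ssh call, for example `# TODO: drop +ssh-rsa once gerrit.opnfv.org accepts rsa-sha2-* signatures or the jenkins-ci key is rotated to ed25519`; the same applies to the ssh line in the second hunk of this file and to the one in `releng-release-create-branch.sh`. Because the option and the user are repeated verbatim in three places, a single `Host gerrit.opnfv.org` entry in the job user's ssh config, carrying `User jenkins-ci` and this one option, would keep the exception in one spot and make it easier to remove later. The shell builder this call belongs to starts and ends outside the hunk.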
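Review bot: In the second hunk `cmd` is built by pasting the contents of violation.log between escaped double quotes, and the changed ssh line sends that string to Gerrit as one command line, so a double quote in the log would end the `-m` argument early and the remainder would be parsed as further `gerrit review` arguments. The log appears to be lint output for files from the submitted patchset, so it should be treated as untrusted at this point; the first hunk has the same pattern with `-m '$(cat gerrit_comment.txt)'` and single quotes. Escaping the quote character before interpolation, or passing the message as JSON on stdin with `gerrit review --json`, would close this. The line this commit changes only carries `"$cmd"` through, and the surrounding builder begins outside the hunk.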
@@ -44,7 +44,7 @@ fi
 run_merge(){
 unset NEW_FILES
 if [[ $REF_EXISTS = true && "$JOB_NAME" =~ "merge" ]]; then
- ssh -n -f -p 29418 gerrit.opnfv.org gerrit create-branch "$repo" "$branch" "$ref"
+ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -n -f -p 29418 jenkins-ci@gerrit.opnfv.org gerrit create-branch "$repo" "$branch" "$ref"
 python3 releases/scripts/create_jobs.py -f $release_file
 NEW_FILES=$(git status --porcelain --untracked=no | cut -c4-)
 fi
-- 
cgit 1.2.3-korg
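Review bot: The new ssh line keeps `-f`, which sends ssh to the background before the remote command runs, so the exit status of `gerrit create-branch` never reaches the script. A rejected request (for example if the `jenkins-ci` account lacks the create-branch permission) would go unnoticed and `create_jobs.py` would still run. Since this commit changes which identity the job connects as, I would drop `-f` and stop on failure, i.e. end the line with `gerrit create-branch "$repo" "$branch" "$ref" || return 1`. On the following context line `$release_file` is unquoted and would be safer as `"$release_file"`. The closing brace of run_merge lies outside the hunk.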